Implement a comprehensive Cloud Security Posture Management framework with automated compliance checks, misconfiguration detection, drift prevention, and multi-cloud governance policies.
## ROLE
You are a cloud security architect specializing in multi-cloud security posture management. You have designed and operated CSPM programs for organizations running [CLOUD SCALE: 10-50 / 50-200 / 200-1000 / 1000+] cloud resources across [CLOUD PROVIDERS: AWS / GCP / Azure / multi-cloud]. You translate compliance requirements into automated, enforceable cloud policies.
## OBJECTIVE
Design and implement a Cloud Security Posture Management framework for [ORGANIZATION NAME] operating on [PRIMARY CLOUD: AWS / GCP / Azure] with [SECONDARY CLOUDS if multi-cloud]. The environment contains approximately [NUMBER] cloud accounts/projects, [NUMBER] VPCs/VNets, [NUMBER] compute instances, [NUMBER] storage buckets/containers, and [NUMBER] databases. The organization must comply with [COMPLIANCE FRAMEWORKS: SOC 2 / PCI DSS / HIPAA / ISO 27001 / CIS Benchmarks / FedRAMP / GDPR].
## TASK
### Phase 1: Cloud Asset Inventory and Visibility
**Complete Asset Discovery:**
Before securing your cloud, you must know what exists:
```
Asset Inventory Requirements:
- Compute: [EC2/GCE/VMs], containers ([EKS/GKE/AKS]), serverless ([Lambda/Cloud Functions/Azure Functions])
- Storage: [S3/GCS/Blob Storage], file shares, EBS volumes, snapshots
- Databases: [RDS/Cloud SQL/Azure SQL], NoSQL ([DynamoDB/Firestore/CosmosDB]), caches ([ElastiCache/Memorystore])
- Networking: VPCs, subnets, security groups, NACLs, load balancers, DNS records, VPN connections, peering
- Identity: IAM users, roles, service accounts, policies, access keys, certificates
- Secrets: KMS keys, secrets manager entries, parameter store values
- Containers: Container registries, images, running containers, orchestrator configs
```
**Implementation with [TOOL: AWS Config / GCP Cloud Asset Inventory / Azure Resource Graph / Steampipe / CloudQuery]:**
```
# Query all resources and their configuration
[INVENTORY_QUERY_COMMAND]
# Export to centralized inventory
[EXPORT_COMMAND] --format json --destination [CENTRAL_STORE]
# Tag compliance: Identify resources missing required tags
[TAG_COMPLIANCE_QUERY]
Required tags: [TAGS: environment / owner / team / cost-center / data-classification / compliance-scope]
```
**Shadow IT Detection:**
- Scan for resources created outside of IaC (Infrastructure as Code) — these represent ungoverned infrastructure
- Identify resources with no tags (orphaned resources)
- Detect resources in unauthorized regions
- Alert on new resource types never used before (potential compromise indicator)
### Phase 2: Security Baseline Definition
**CIS Benchmark Implementation for [CLOUD PROVIDER]:**
**Identity and Access Management:**
| Control | Description | Check | Severity |
|---------|-------------|-------|----------|
| IAM-01 | Root account has MFA enabled | [CHECK_COMMAND] | Critical |
| IAM-02 | No access keys exist for root account | [CHECK_COMMAND] | Critical |
| IAM-03 | MFA enabled for all IAM users with console access | [CHECK_COMMAND] | High |
| IAM-04 | Access keys rotated within [DAYS: 90] days | [CHECK_COMMAND] | High |
| IAM-05 | No inline IAM policies (use managed policies) | [CHECK_COMMAND] | Medium |
| IAM-06 | No wildcard (*) in IAM policy actions | [CHECK_COMMAND] | High |
| IAM-07 | Unused IAM credentials disabled after [DAYS: 45] days | [CHECK_COMMAND] | Medium |
| IAM-08 | Cross-account access uses external ID or conditions | [CHECK_COMMAND] | High |
**Storage Security:**
| Control | Description | Check | Severity |
|---------|-------------|-------|----------|
| STR-01 | No publicly accessible storage buckets | [CHECK_COMMAND] | Critical |
| STR-02 | Default encryption enabled on all buckets | [CHECK_COMMAND] | High |
| STR-03 | Bucket versioning enabled for [CRITICAL BUCKETS] | [CHECK_COMMAND] | Medium |
| STR-04 | Access logging enabled on all buckets | [CHECK_COMMAND] | Medium |
| STR-05 | Block public access settings enabled at account level | [CHECK_COMMAND] | Critical |
| STR-06 | No storage buckets with overly permissive ACLs | [CHECK_COMMAND] | High |
| STR-07 | Cross-region replication for [DR REQUIREMENTS] | [CHECK_COMMAND] | Medium |
**Network Security:**
| Control | Description | Check | Severity |
|---------|-------------|-------|----------|
| NET-01 | No security groups allowing 0.0.0.0/0 on SSH (22) | [CHECK_COMMAND] | Critical |
| NET-02 | No security groups allowing 0.0.0.0/0 on RDP (3389) | [CHECK_COMMAND] | Critical |
| NET-03 | Default VPC security group restricts all traffic | [CHECK_COMMAND] | High |
| NET-04 | VPC flow logs enabled for all VPCs | [CHECK_COMMAND] | High |
| NET-05 | No public IP addresses on [INTERNAL TIER] instances | [CHECK_COMMAND] | High |
| NET-06 | WAF enabled on all public-facing load balancers | [CHECK_COMMAND] | High |
| NET-07 | [DNS/FIREWALL] logging enabled | [CHECK_COMMAND] | Medium |
**Compute Security:**
| Control | Description | Check | Severity |
|---------|-------------|-------|----------|
| CMP-01 | No instances with public IP in [PRIVATE SUBNETS] | [CHECK_COMMAND] | High |
| CMP-02 | All instances use IMDSv2 (instance metadata service v2) | [CHECK_COMMAND] | High |
| CMP-03 | EBS volumes encrypted with [KMS KEY TYPE] | [CHECK_COMMAND] | High |
| CMP-04 | SSM Agent installed for patch management (no SSH bastion needed) | [CHECK_COMMAND] | Medium |
| CMP-05 | Auto-scaling groups use latest approved AMI | [CHECK_COMMAND] | Medium |
| CMP-06 | No instances running with admin/root IAM roles | [CHECK_COMMAND] | Critical |
**Database Security:**
| Control | Description | Check | Severity |
|---------|-------------|-------|----------|
| DB-01 | No publicly accessible database instances | [CHECK_COMMAND] | Critical |
| DB-02 | Encryption at rest enabled for all databases | [CHECK_COMMAND] | High |
| DB-03 | Automated backups enabled with [RETENTION: 7-35] day retention | [CHECK_COMMAND] | High |
| DB-04 | Audit logging enabled on all database instances | [CHECK_COMMAND] | Medium |
| DB-05 | SSL/TLS enforced for all database connections | [CHECK_COMMAND] | High |
| DB-06 | No default master credentials in use | [CHECK_COMMAND] | Critical |
### Phase 3: Automated Compliance Scanning
**CSPM Tool Implementation:**
Deploy [CSPM TOOL: Prowler / ScoutSuite / Prisma Cloud / Wiz / Orca / Lacework / AWS Security Hub / GCP Security Command Center / Azure Defender]:
```bash
# Automated scan configuration
[CSPM_TOOL] scan \
--cloud [PROVIDER] \
--accounts [ACCOUNT_IDS] \
--compliance [FRAMEWORK: cis-aws-1.5 / pci-dss / hipaa / soc2] \
--output [FORMAT: json / csv / html] \
--severity [MINIMUM: critical / high / medium] \
--exclude-checks [ACCEPTED_RISK_CHECK_IDS] \
--send-results-to [DESTINATION: S3 / slack / email / SIEM]
```
**Scanning Schedule:**
- Continuous: [REAL-TIME TOOL: AWS Config Rules / GCP SCC / Azure Policy] evaluates changes as they happen
- Hourly: Critical security checks (public exposure, IAM changes, encryption status)
- Daily: Full compliance scan against [PRIMARY FRAMEWORK]
- Weekly: Cross-account consolidated report to [STAKEHOLDERS]
- Monthly: Executive summary with trend analysis and risk score
### Phase 4: Drift Prevention and Auto-Remediation
**Preventive Controls (block misconfigurations before they happen):**
- [AWS: Service Control Policies / GCP: Organization Policies / Azure: Azure Policy] to enforce guardrails:
```json
{
"guardrails": [
{"rule": "Deny public S3 buckets", "scope": "[ALL_ACCOUNTS / PRODUCTION_OU]", "enforcement": "DENY"},
{"rule": "Require encryption on EBS volumes", "scope": "[ALL_ACCOUNTS]", "enforcement": "DENY"},
{"rule": "Restrict regions to [APPROVED_REGIONS]", "scope": "[ALL_ACCOUNTS]", "enforcement": "DENY"},
{"rule": "Require tags on all resources", "scope": "[ALL_ACCOUNTS]", "enforcement": "AUDIT → DENY"},
{"rule": "Block public IP assignment in [PRIVATE_SUBNETS]", "scope": "[PRODUCTION_OU]", "enforcement": "DENY"},
{"rule": "Require IMDSv2 on EC2 instances", "scope": "[ALL_ACCOUNTS]", "enforcement": "DENY"}
]
}
```
**Detective Controls with Auto-Remediation:**
For misconfigurations that slip through preventive controls:
```
Auto-Remediation Workflow:
1. [CONFIG RULE / POLICY] detects non-compliant resource
2. Evaluate severity and auto-remediation eligibility:
- Auto-fix: [LOW RISK ACTIONS: enable encryption / enable logging / add required tags / restrict security group]
- Alert + manual fix: [MEDIUM RISK: modify IAM policies / change network routes / update database settings]
- Alert only: [HIGH RISK: terminate instances / delete resources / modify production configs]
3. Execute remediation via [AUTOMATION: Lambda / Cloud Function / Azure Automation / SSM Automation]
4. Log the remediation action to [AUDIT LOG]
5. Notify [TEAM: resource owner / security team / ops team] via [CHANNEL]
6. Verify compliance after remediation
```
**Infrastructure as Code (IaC) Security:**
Prevent misconfigurations at the source — scan IaC templates before deployment:
- [IaC SCANNER: Checkov / tfsec / KICS / Terrascan / Bridgecrew] integrated into [CI PIPELINE]
- Pre-commit hooks for [IaC TOOL: Terraform / CloudFormation / Pulumi / CDK / Bicep]
- Policy as Code: Define security policies in [LANGUAGE: Rego / Sentinel / Python / YAML] that are version-controlled and reviewed like application code
- Drift detection: Compare deployed infrastructure against IaC definitions, alert on manual changes
### Phase 5: Governance and Reporting
**Security Posture Score:**
Calculate an organization-wide security posture score:
```
Posture Score = (Compliant Resources / Total Resources) × 100
Weighted by severity:
- Critical non-compliance: -10 points per finding
- High non-compliance: -5 points per finding
- Medium non-compliance: -2 points per finding
- Low non-compliance: -1 point per finding
Target: [SCORE: 90%+ / 95%+ / 98%+]
Current baseline: [CURRENT_SCORE]%
```
**Reporting Cadence:**
| Report | Audience | Frequency | Content |
|--------|----------|-----------|---------|
| Real-time dashboard | Security team | Continuous | Live posture score, active findings, remediation status |
| Team report | Engineering teams | Weekly | Their resources, their findings, their remediation progress |
| Executive summary | CISO / CTO | Monthly | Posture trend, top risks, compliance status, investment needs |
| Compliance report | Auditors / Board | Quarterly | Framework compliance %, evidence packages, remediation plans |
| Incident report | All stakeholders | As needed | Post-misconfiguration incident analysis and lessons learned |
**Accountability Model:**
- Resource owners are responsible for remediating findings on their resources within SLA
- Security team provides guidance, tooling, and escalation — not direct remediation
- Unresolved critical/high findings escalated to [ESCALATION PATH] after SLA breach
- Posture score included in [TEAM METRICS: engineering OKRs / performance reviews / team dashboards]Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
{
"guardrails": [
{"rule": "Deny public S3 buckets", "scope": "[ALL_ACCOUNTS / PRODUCTION_OU]", "enforcement": "DENY"}{"rule": "Require encryption on EBS volumes", "scope": "[ALL_ACCOUNTS]", "enforcement": "DENY"}{"rule": "Restrict regions to [APPROVED_REGIONS]", "scope": "[ALL_ACCOUNTS]", "enforcement": "DENY"}{"rule": "Require tags on all resources", "scope": "[ALL_ACCOUNTS]", "enforcement": "AUDIT → DENY"}{"rule": "Block public IP assignment in [PRIVATE_SUBNETS]", "scope": "[PRODUCTION_OU]", "enforcement": "DENY"}{"rule": "Require IMDSv2 on EC2 instances", "scope": "[ALL_ACCOUNTS]", "enforcement": "DENY"}[ORGANIZATION NAME][NUMBER][INVENTORY_QUERY_COMMAND][EXPORT_COMMAND][CENTRAL_STORE][TAG_COMPLIANCE_QUERY][CLOUD PROVIDER][CHECK_COMMAND][CRITICAL BUCKETS][DR REQUIREMENTS][INTERNAL TIER][PRIVATE SUBNETS][KMS KEY TYPE][CSPM_TOOL][PROVIDER][ACCOUNT_IDS][ACCEPTED_RISK_CHECK_IDS][PRIMARY FRAMEWORK][STAKEHOLDERS][ALL_ACCOUNTS][APPROVED_REGIONS][PRIVATE_SUBNETS][PRODUCTION_OU][AUDIT LOG][CHANNEL][CI PIPELINE][CURRENT_SCORE][ESCALATION PATH]